The Anti-virus Times

Harmful and useful


An ongoing war has been raging for years between researchers, who claim they’ve found defects that will cause the world to end or worse, and software developers, who claim that those defects aren't really that severe. "It's not a bug; it's an undocumented feature", that's what developers usually say in their defence.

As a rule, situations of this kind occur because developers do not factor in all the situations in which their programs will operate or the behaviour of those using them. For example, one can use a smartphone to shovel snow, and sometimes it may indeed come in handy for that.

When we say "a bug", we usually mean that a program doesn't work the way it’s supposed to or that it can be used to perform tasks it’s not supposed to.

Defects can also be caused by mistakes made during a program’s development or testing, such as failing to test the application in all possible situations, library errors, etc.

Defects (including vulnerabilities) probably exist in all programs except "Hello, World!", but their severity varies. In fact, some defects do not manifest themselves on their own. For example, to deploy an exploit, attackers may need full access to a target computer, and administrative privileges to boot. But, in this case (if attackers acquire the privileges), why bother with an exploit if a malicious act can be executed manually?

This is one of the reasons why developers may refuse to resolve an issue: users are highly unlikely to encounter it in real life. However, all kinds of things can happen…

A while ago, Microsoft refused to release a security patch to close a TCP/IP stack vulnerability in Windows XP and Windows 2000. "We're talking about code that originated 12 to 15 years ago and is too old, so backporting it is simply not feasible," said Microsoft’s security program manager Adrian Stone.

Google refused to resolve an issue involving the 'continue' parameter on the Google login page (https://accounts.google.com/ServiceLogin?service=mail). Moreover, in a reply to Aidan Woods, who reported the issue, the corporation indicated that it didn't regard the defect as a security problem.

Appending ‘continue=[link]’ to the login page’s URL allows users to be redirected to the Google service they intend to use (provided that they enter the correct password).

To avoid phishing attacks, Google restricted this parameter’s use to google.com addresses. That way, a user can be redirected to drive.google.com or docs.google.com, but not to example.com. Woods found a way to bypass this restriction. According to Woods, Google’s server doesn't check whether the link that follows the amp parameter is secure, so such a link can direct a user to any site on the Internet.
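An added example (not code from Google or from the original article): one way a login page could validate the 'continue' value so that the google.com restriction also covers a link nested inside the target. The path /forward, the parameter name url and the depth limit are assumptions for illustration; the article does not give the exact form of the bypass.

```python
from urllib.parse import urlsplit, parse_qsl

ALLOWED_SUFFIX = "google.com"   # restriction described in the article
MAX_DEPTH = 3                   # assumption: limit on nested-link checks

def host_allowed(host):
    """True for google.com itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == ALLOWED_SUFFIX or host.endswith("." + ALLOWED_SUFFIX)

def is_safe_redirect(target, depth=0):
    """Validate a 'continue' target, including links nested inside it."""
    # Reject backslashes, whitespace and control characters outright.
    if depth > MAX_DEPTH or "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if not host_allowed(host):
        return False
    # An on-domain page may itself forward to a URL given in its query
    # string, so every parameter value that looks like a link is checked too.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "://" in value or value.startswith("//"):
            nested = value if "://" in value else "https:" + value
            if not is_safe_redirect(nested, depth + 1):
                return False
    return True

def safe_continue(login_url, default="https://www.google.com/"):
    """Return the validated 'continue' value of a login URL, or the default."""
    params = dict(parse_qsl(urlsplit(login_url).query))
    target = params.get("continue", default)
    return target if is_safe_redirect(target) else default
```

A check like this only covers links carried in the query string; a forwarding page that takes its destination from the path needs its own validation.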

It should be noted that in the Google Webmasters blog, the company stated that it didn't regard open redirect URLs as a security issue.

It looks like a feature, right? Or is it an issue? Apparently, there’s no simple answer. The technology is intended to facilitate easy navigation between web resources; it can also be used to direct visitors between partner sites. To put restrictions in place, the technology will need to be modified. And although that may not be very difficult, it can cause other issues to crop up. For example, if a technology’s use is limited to the addresses in a certain database, someone can compromise that database.

Indeed, this scenario presents a golden opportunity for phishers, but to make sure that this feature doesn't become an issue, one must simply avoid clicking on links in dubious messages. And if you do click without thinking, none of Google’s security measures will save you from impending catastrophe.

Dr.Web recommends

If someone tells you about a miraculous cure or that judgment day is at hand, etc., make the effort to learn about counterarguments. As far as information security is concerned, don’t believe all the claims and statements you hear because:

Danger doesn't come from a defect but rather from an exploit that leverages it.

It can cost companies millions to resolve a defect, money they may not have to spend. Is it worth fixing a defect if the probability of it being exploited by attackers is low? And if the answer to that is no, is there any reason to spend money on fixing it?
